Executive Summary

Summary
Title Microsoft Jet Engine stack buffer overflow
Informations
Name VU#936529 First vendor Publication 2008-03-22
Vendor VU-CERT Last vendor Modification 2008-05-13
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#936529

Microsoft Jet Engine stack buffer overflow

Overview

The Microsoft Jet Engine contains a stack buffer overflow, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

Microsoft Jet, or Joint Engine Technology, is a database engine that is used by several Microsoft products, including Access and Visual Basic. A Microsoft Access database uses the .MDB file extension by default. The Microsoft Jet Engine contains a stack buffer overflow in the handling of specially crafted database files.

Microsoft Word can link to Jet databases. In some cases, the database can be opened without prompting the user. This can allow Microsoft Word documents to be used as an attack vector for this vulnerability. Microsoft Outlook can also be used as an attack vector by either opening a specially crafted email message or by viewing such a message in the preview pane.

II. Impact

By convincing a user to open a specially crafted Word document or Jet database, such as a Microsoft Access .MDB file, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.

III. Solution

Apply an update

This issue is addressed in Microsoft Security Bulletin MS08-028.

Block MDB files from being processed through your mail infrastructure

To detect Jet files that have possibly been renamed to another file type, search for files with any of the following 15-byte signatures at location 0x4 (no quotes):

    "Jet System DB  "
    "Standard Jet DB"
    "Temp Jet DB    "
    "MSISAM Database"
Configure Microsoft Outlook to view and edit email messages in plain text

According to Microsoft, this can be accomplished in the following ways:

Manual (User Interaction)
    Enterprise Users follow these steps to disable the Outlook feature to use Word as mail editor:

    1. Restart the machine.
    2. Open Outlook
    3. Click Tools, click Options, and then click the Mail Format tab.
    4. Clear the Use Microsoft Word to edit e-mail messages check box.
    5. Clear the Use Microsoft Word to read Rich Text e-mail messages box.
    6. Exit Outlook.
    7. Restart the machine.

    Impact of Workaround: Users will not be able to use Word as their e-mail editor or use Rich Text to read their e-mail
Using Group Policy
    Domain administrators can use Group Policy to disable Word as the users e-mail editor. You do not have to restart the computer to implement this mitigation.
    For information on using registry keys with a Group Policy see Using Administrative Template Files with Registry-Based Group Policy and Distributing Registry Changes.

    Disable WordMail in Word 2003

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USERSoftwareMicrosoftOffice11.0OutlookOptionsMail]
    "EditorPreference"=dword:00020000
    "UseWordMail"=dword:00000000

    Disable WordMail in Word 2002

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USERSoftwareMicrosoftOffice10.0OutlookOptionsMail]
    "EditorPreference"=dword:00020000
    "UseWordMail"=dword:00000000

    Impact of Workaround: Users will not be able to use Word as their e-mail editor or use Rich Text by default to read their e-mail.
Restrict the Microsoft Jet Database Engine from running

To implement the workaround, enter the following command at a command prompt:

echo y| cacls "%SystemRoot%system32msjet40.dll" /E /P everyone:N

Systems Affected

VendorStatusDate Updated
Microsoft CorporationVulnerable13-May-2008

References

http://www.kb.cert.org/vuls/id/176380
http://www.microsoft.com/technet/security/Bulletin/ms08-028.mspx
http://blogs.technet.com/msrc/archive/2008/03/24/update-msrc-blog-microsoft-security-advisory-950627.aspx
http://www.microsoft.com/technet/security/advisory/950627.mspx
http://support.microsoft.com/kb/930508
http://www.symantec.com/enterprise/security_response/weblog/2008/03/another_reason_why_microsoft_s.html
http://ruder.cdut.net/blogview.asp?logID=227
http://archives.neohapsis.com/archives/fulldisclosure/2007-11/0392.html

Credit

This vulnerability was publicly reported by cocoruder.

This document was written by Will Dormann.

Other Information

Date Public11/16/2007
Date First Published03/22/2008 12:32:16 PM
Date Last Updated05/13/2008
CERT Advisory 
CVE NameCVE-2007-6026; CVE-2008-1092
US-CERT Technical Alerts 
Metric58.22
Document Revision36

Original Source

Url : http://www.kb.cert.org/vuls/id/936529

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:5578
 
Oval ID: oval:org.mitre.oval:def:5578
Title: Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability
Description: Stack-based buffer overflow in Microsoft msjet40.dll 4.0.8618.0 (aka Microsoft Jet Engine), as used by Access 2003 in Microsoft Office 2003 SP3, allows user-assisted attackers to execute arbitrary code via a crafted MDB file database file containing a column structure with a modified column count. NOTE: this might be the same issue as CVE-2005-0944.
Family: windows Class: vulnerability
Reference(s): CVE-2007-6026
 Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
 Product(s): Microsoft Jet 4.0 Database Engine
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1
Application 1
Application 6
Os 1
Os 1
Os 1
Os 1

SAINT Exploits

Description Link
Microsoft Jet Engine MDB file ColumnName buffer overflow More info here

OpenVAS Exploits

Date Description
2008-09-03 Name : Windows Vulnerability in Microsoft Jet Database Engine
File : nvt/win_CVE-2007-6026.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
44880 Microsoft Windows msjet40.dll MDB File Handling Overflow

A remote overflow exists in Microsoft Jet (msjet40.dll). The DLL fails to bounds check user-supplied data resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.
43464 Microsoft Jet Database Engine Word File Handling Unspecified Code Execution

Information Assurance Vulnerability Management (IAVM)

Date Description
2008-05-15 IAVM : 2008-A-0030 - Microsoft Jet Database Remote Code Execution Vulnerability
Severity : Category II - VMSKEY : V0016013

Snort® IPS/IDS

Date Description
2014-01-10 Microsoft Office Access MSISAM file magic detected
RuleID : 23718 - Revision : 7 - Type : FILE-IDENTIFY
2014-01-10 Microsoft Office Access TJDB file magic detected
RuleID : 23717 - Revision : 7 - Type : FILE-IDENTIFY
2014-01-10 Microsoft Office Access JSDB file magic detected
RuleID : 23716 - Revision : 7 - Type : FILE-IDENTIFY
2014-01-10 Microsoft Office Access file magic detected
RuleID : 23715 - Revision : 8 - Type : FILE-IDENTIFY
2015-05-28 Microsoft Access hciR obfuscated download attempt
RuleID : 13634 - Revision : 5 - Type : WEB-CLIENT
2014-01-10 Microsoft Office Access MSISAM file magic detected
RuleID : 13633 - Revision : 18 - Type : FILE-IDENTIFY
2014-01-10 Microsoft Office Access TJDB file magic detected
RuleID : 13630 - Revision : 18 - Type : FILE-IDENTIFY
2014-01-10 Microsoft Office Access JSDB file magic detected
RuleID : 13629 - Revision : 18 - Type : FILE-IDENTIFY
2014-01-10 Microsoft Office Access file magic detected
RuleID : 13626 - Revision : 22 - Type : FILE-IDENTIFY

Nessus® Vulnerability Scanner

Date Description
2008-05-13 Name : Arbitrary code can be executed on the remote host through the database engine.
File : smb_nt_ms08-028.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2015-04-15 13:28:39
  • Multiple Updates
2013-05-11 00:57:29
  • Multiple Updates